The Hacker News — Cyber Security, Hacking, Technology News

If you receive an email that looks like it's from one of your friends, just beware! It's possible that the email has been sent by someone else in an attempt to compromise your system.

A security researcher has discovered a collection of vulnerabilities in more than 30 popular email client applications that could allow anyone to send spoofed emails bypassing anti-spoofing mechanisms.

Although most of the affected email clients have implemented anti-spoofing mechanisms such as DKIM and DMARC, MailSploit takes advantage of the way email clients and web interfaces parse the "From" header.

Email spoofing is an old-school technique, but it works well, allowing someone to modify email headers and send an email with the forged sender address to trick recipients into believing they are receiving that email from a specific person.

On a dedicated website that went up today, Haddouche explained how the lack of input sanitization in vulnerable email clients could lead to email spoofing attacks, without actually exploiting any flaw in DMARC.

To demonstrate the attack, Haddouche created a payload by encoding non-ASCII characters inside the email headers and successfully sent a spoofed email from an official address belonging to the President of the United States.

"Using a combination of control characters such as new lines or null-byte, it can result in hiding or removing the domain part of the original email," Haddouche says in his blog post.

"We've seen a lot of malware spreading via emails, relying on social engineering techniques to convince users to open unsafe attachments, or click on phishing links. The rise of ransomware distributed over email clearly demonstrates the effectivity of those mechanisms."

Besides spoofing, the researcher found that some of the email clients, including Hushmail, Open Mailbox, Spark, and Airmail, are also vulnerable to cross-site scripting (XSS), which stems from the same email spoofing issue.

Haddouche reported this spoofing bug to 33 different client vendors; 8 of them patched the issue in their products before the public disclosure and 12 are working on a fix.

Here you can find the list of all email and web clients (both patched and unpatched) that are vulnerable to the MailSploit attack.

However, Mozilla and Opera consider this bug to be a server-side issue and will not be releasing any patch. Mailbird closed the ticket without responding to the issue, while the remaining 12 vendors have not yet commented on the researcher's report.

A security researcher has discovered an interesting loophole in the Gmail Android app that lets anyone send an email that looks like it was sent by someone else, potentially opening doors for phishers.

This is something we call e-mail spoofing – the forgery of an e-mail header so that the message appears to have originated from someone other than the actual source.

Generally, to spoof email addresses, an attacker needs:

A working SMTP (Simple Mail Transfer Protocol) server to send email

Mailing software

However, independent security researcher Yan Zhu discovered a similar bug in the official Gmail Android app that allowed her to hide her real email address and change her display name in the account settings so that the recipient cannot tell who the actual sender is.

How to Send Spoofed Emails via Gmail Android App?

To demonstrate her finding, Zhu sent an email to someone after changing her display name to yan ""security@google.com" (with an additional quote). You can see the screenshot Zhu posted on her Twitter timeline.

"[This] extra quotes [in the display name] triggers a parsing bug in the Gmail app, which causes the real email to be invisible," Zhu told Motherboard.

Once received, the email could trick the recipient into believing that it came from the legitimate Gmail security team, which it did not.
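Both stories above come down to the same defensive point: a client must decode the "From" header fully before deciding what to show, and must never let the display name stand in for the real address. The following checker is an added example written for this page, not code from the researchers or from any vendor mentioned; it decodes RFC 2047 encoded-words in the display name, flags control characters (the MailSploit pattern), an odd number of quotes (the Gmail Android pattern) and address-looking display names, and renders the sender with the real addr-spec always visible. The sample headers, the `example.com`/`example.net` addresses and the finding codes are constructed for the example; the trailing angle-addr regex is a simplification of RFC 5322, not a full parser.

```python
import base64
import re
from email.header import decode_header

# C0 control characters (including NUL, CR and LF) plus DEL: none of
# these belong in a decoded display name.
_CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")
# Trailing angle-addr: the part of a From header a client should trust.
# (Simplification: a full RFC 5322 parser also handles comments and groups.)
_ANGLE_ADDR_RE = re.compile(r"<([^<>]*)>\s*$")


def split_from_header(raw_header):
    """Split a From header value into (decoded display name, addr-spec).

    RFC 2047 encoded-words in the display name are decoded so that any
    control characters smuggled through the encoding become visible.
    """
    match = _ANGLE_ADDR_RE.search(raw_header)
    if match:
        addr = match.group(1).strip()
        name_part = raw_header[: match.start()]
    else:
        addr = raw_header.strip()
        name_part = ""
    pieces = []
    for chunk, charset in decode_header(name_part):
        if isinstance(chunk, bytes):
            try:
                pieces.append(chunk.decode(charset or "ascii", errors="replace"))
            except LookupError:  # unknown charset label
                pieces.append(chunk.decode("latin-1"))
        else:
            pieces.append(chunk)
    return "".join(pieces).strip(), addr


def inspect_from_header(raw_header):
    """Return a list of finding codes for a suspicious From header (empty if clean)."""
    findings = []
    name, addr = split_from_header(raw_header)
    if _CONTROL_RE.search(name):
        findings.append("control-char-in-display-name")
    if name.count('"') % 2 == 1:
        findings.append("unbalanced-quotes-in-display-name")
    if "@" in name:
        findings.append("address-like-display-name")
    if addr.count("@") != 1 or _CONTROL_RE.search(addr):
        findings.append("malformed-addr-spec")
    return findings


def safe_sender_line(raw_header):
    """Render the sender the way a hardened client should: control characters
    removed from the display name, and the real addr-spec always shown."""
    name, addr = split_from_header(raw_header)
    clean_name = _CONTROL_RE.sub("", name)
    return f"{clean_name} <{addr}>" if clean_name else addr


def encoded_word(text):
    """Build a base64 RFC 2047 encoded-word (used here only to construct samples)."""
    b64 = base64.b64encode(text.encode("utf-8")).decode("ascii")
    return f"=?utf-8?B?{b64}?="


# Constructed samples (not headers from the original reports):
SAMPLE_CLEAN = '"Alice Example" <alice@example.com>'
# display name that decodes to an address-looking string ending in a NUL byte
SAMPLE_CONTROL = encoded_word("security@example.org\x00") + " <sender@example.net>"
# display name with an odd number of quotes, as in the Gmail Android report
SAMPLE_QUOTES = 'yan ""security@google.com" <yan@example.com>'

if __name__ == "__main__":
    for sample in (SAMPLE_CLEAN, SAMPLE_CONTROL, SAMPLE_QUOTES):
        print(repr(sample))
        print("  findings:", inspect_from_header(sample))
        print("  render as:", safe_sender_line(sample))
```

On a mail gateway the finding codes would feed a quarantine or banner decision; in a client, `safe_sender_line` is the rendering rule that removes the incentive for both tricks, because the addr-spec the message was actually authenticated against is shown no matter what the display name contains.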

Google – 'The Bug isn't a Security Vulnerability'

Zhu reported the loophole to Google's security team at the end of October, but the team rejected her bug report, saying the bug is not a security vulnerability.

"Thanks for your note, we do not consider this [bug] to be a security vulnerability," a Google Security Team member told Zhu.

Learn to read email message headers and trace IP addresses – Tracking down the source of spam is good practice. When you receive a suspicious email, open the header and check whether the sender's IP address matches up with previous emails from the same person.

Never click on a suspicious link or download an unfamiliar attachment – Always pay attention to the emails you receive and avoid clicking links in emails or downloading email attachments. Instead, go to your bank's official website, or any other website, directly from the browser and log into your account to see what they want you to see.

If you are a user of the America Online (AOL) mail service, you are advised to change your password as soon as possible.

AOL Inc. on Monday confirmed the company suffered a massive data breach that may have affected a "significant number" of email accounts.

The New York-based company has warned users that their personal information, including email addresses, postal addresses, address books, encrypted passwords and the encrypted answers to security questions, was stolen by attackers.

"The ongoing investigation of this serious criminal activity is our top priority," AOL said in a blog post. "We are working closely with federal authorities to pursue this investigation to its resolution. Our security team has put enhanced protective measures in place, and we urge our users to take proactive steps to help ensure the security of their accounts."

AOL said it began investigating the matter after it noticed a spike in spoofed emails from AOL user accounts. The company believes that hackers used the contact information to send spoofed emails that appear to come from roughly 2 percent of its email accounts.

"Spoofed" emails are phishing emails or messages that masquerade as coming from legitimate user accounts known to the recipient, in order to trick the recipient into opening them, but in reality carry links to malicious websites or malware.

The company believes that neither users' financial data, such as credit and debit card numbers, nor their passwords or answers to security questions have been revealed, as the hackers were not able to break the encryption.

"Importantly, we have no indication that the encryption on the passwords or the answers to security questions was broken," AOL wrote. "In addition, at this point in the investigation, there is no indication that this incident resulted in disclosure of users' financial information, including debit and credit cards, which is also fully encrypted."

Nevertheless, AOL advises all its users to reset their passwords and also change their security questions and answers in order to protect themselves from such breaches.

"Although there is no indication that the encryption on the passwords or answers to security questions was broken, as a precautionary measure, we nevertheless strongly encourage our users and employees to reset their passwords used for any AOL service and, when doing so, also to change their security question and answer," AOL said.

In addition, it provided some steps to protect its users from cyber threats:

Do not click on any suspicious links or attachments in the email you received.

When in doubt, contact the sender to confirm whether he or she actually sent the email to you.

Never provide your personal or financial information through an email to someone you do not know.

AOL will never ask you for your password or any other sensitive personal information over an email.

If you find yourself a victim of spoofing, inform your friends that your emails may have been spoofed and warn them to avoid clicking links in suspicious emails.

Twitter announced via its blog today that it has begun using a new method called Domain-based Message Authentication, Reporting and Conformance (DMARC) to help prevent email phishing.

DMARC is a standard for preventing email spoofing, intended to make it harder for attackers to send phishing emails that appear to come from twitter.com addresses, since it is not always easy to tell whether an email is legitimate. It builds on the SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) email validation and authentication systems.
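What DMARC adds on top of SPF and DKIM is a published policy plus an alignment rule: an SPF or DKIM pass only counts if the domain it authenticated lines up with the domain in the visible "From" header, and the domain owner says what receivers should do when neither lines up. The evaluator below is an added example for this page, not code from Twitter or any mail provider; the `_dmarc.example.com` TXT record, the `bounce.example.com` and `example.net` identifiers and the scenarios are constructed, and the organizational-domain shortcut (last two labels instead of the Public Suffix List) and the omission of the `pct=` and `sp=` tags are simplifications made for the example.

```python
import re

# One DNS hostname label: letters, digits and inner hyphens.
_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def parse_dmarc_record(txt):
    """Parse the tag=value pairs of a _dmarc.<domain> TXT record into a dict."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record does not start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= policy tag")
    # Alignment modes default to relaxed when absent.
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def organizational_domain(domain):
    """Approximate the organizational domain as the last two labels.

    Assumption for this example: real implementations consult the Public
    Suffix List, so this shortcut is wrong for suffixes such as co.uk.
    """
    labels = domain.lower().rstrip(".").split(".")
    if not all(_LABEL_RE.match(label) for label in labels):
        raise ValueError(f"invalid domain: {domain!r}")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ("s") needs an exact match,
    relaxed ("r") needs the same organizational domain."""
    if not auth_domain:
        return False
    auth = auth_domain.lower().rstrip(".")
    frm = from_domain.lower().rstrip(".")
    if mode == "s":
        return auth == frm
    return organizational_domain(auth) == organizational_domain(frm)


def evaluate_dmarc(record_txt, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (passed, disposition) for one message.

    spf_domain is the RFC5321.MailFrom domain that SPF checked; dkim_domain is
    the d= value of a verified DKIM signature. disposition is "none" on pass
    and the record's p= policy on failure (pct= and sp= are ignored here).
    """
    tags = parse_dmarc_record(record_txt)
    spf_aligned = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_aligned = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_aligned or dkim_aligned:
        return True, "none"
    return False, tags["p"]


# Constructed record for the example, as it would be published at _dmarc.example.com.
EXAMPLE_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    # Genuine mail: SPF passes on a bounce subdomain, DKIM is signed by the domain itself.
    print(evaluate_dmarc(EXAMPLE_RECORD, "example.com", "pass", "bounce.example.com", "pass", "example.com"))
    # Spoofed From: SPF and DKIM both pass, but only for the sending party's own domain.
    print(evaluate_dmarc(EXAMPLE_RECORD, "example.com", "pass", "mailer.example.net", "pass", "example.net"))
```

The second scenario is the case DMARC exists for: the message is technically well authenticated, just not for the domain the recipient sees, so the `p=reject` policy applies. Publishing `p=none` first and reading the aggregate reports sent to the `rua=` address is the usual way to find legitimate senders that would fail alignment before tightening the policy.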

Twitter says it started using DMARC earlier this month. While the DMARC specification does need support from email services, providers including AOL, Gmail, Hotmail/Outlook and Yahoo already make use of it. It has also been implemented by services like Facebook, PayPal, Amazon and now Twitter.

If you don’t use Gmail or one of the other email providers listed above, you may not be protected. It might be a good time to migrate your email service to one of these for better security or ask your email provider to add DMARC support too.

For instance, if you see an email from support.twitter.com asking you to type in your account info, you should know to delete the email and report it, as Twitter will never ask you for such information.
